Android vulnerability permits data theft

Security expert Thomas Cannon has discovered a security vulnerability in the Android browser which can be exploited by attackers to read local files when a smartphone user visits a crafted web site. The vulnerability appears to affect all versions of Android, including the current version 2.2 (Froyo). Our colleagues at heise Security have been able to reproduce the exploit on both a Google Nexus One and a Samsung Galaxy Tab, both running Android 2.2. Cannon reports that he has verified the vulnerability on an HTC Desire (2.2) and on the Android emulator (1.5, 1.6 and 2.2) in the SDK.

Because the browser runs in its own sandbox, the script can only read what the browser process itself can read: user data such as the contents of the memory card, not system directories. An attacker would also need to know the exact path of any file they wished to read. Suitable targets include photographs taken with the phone, which are saved under sequential file names, and consistently named files that applications write to the card, some of which (those of online banking apps, for example) can contain confidential data.

Cannon demonstrated the vulnerability to heise Security by copying the contents of the file ct.txt from the root directory of a heise Security memory card to his server; all heise Security had to do was click on a link he supplied in Android's standard browser. The attacker's server sends the browser an HTML file containing JavaScript, which the browser downloads automatically without asking. The page then redirects the browser to the downloaded copy, so the script now runs from a local file:// URL instead of from the attacker's web origin, and in that local context it is permitted to read other files on the device and upload their contents to the attacker's server.

A pop-up notification that a file is being downloaded does flash up briefly while the crafted file is transferred, but it offers no option to stop the transfer. Users can protect themselves by deactivating JavaScript in their browser settings or by using a browser such as Opera Mobile, which always asks for permission before downloading files. There are also other ways, email attachments being one example, for suitably crafted HTML files to find their way onto a phone.

Cannon alerted Google to the vulnerability, and less than 20 minutes later Google responded, informing him that it was looking into the problem. Shortly thereafter, following a request from Google, he removed most of the details of the exploit from his web site. Google has now got to the bottom of the problem and is working on a patch, which is currently undergoing evaluation. This will not, however, find its way into Android 2.3 (Gingerbread), the release of which is imminent. It is instead expected to be included in a future update and it could be some time before it finds its way onto many users' phones. This is Cannon's justification for having gone public with the problem.